Re: CIDR in pg_hba.conf

From Curt Sampson
Subject Re: CIDR in pg_hba.conf
Date
Msg-id Pine.NEB.4.51.0305091333530.465@angelic-vtfw.cvpn.cynic.net
In reply to Re: CIDR in pg_hba.conf  (Bruno Wolff III <bruno@wolff.to>)
Responses Re: CIDR in pg_hba.conf  (Bruno Wolff III <bruno@wolff.to>)
List pgsql-hackers
On Thu, 8 May 2003, Bruno Wolff III wrote:

> On Fri, May 09, 2003 at 00:59:58 +0200,
>   Kurt Roeckx <Q@ping.be> wrote:
> >
> > There are.  You can even make an authoritative nameserver return
> > a wrong answer.
>
> This is incorrect.

Actually, you can quite easily make an authoritative nameserver return
an incorrect answer through cache poisoning, if the particular software
and version happens to have that bug and recursive searches are turned on.

However, it's also possible to set up nameservers securely, so you
shouldn't use this as an excuse never to use hostnames.

> Efficiency. If there are a number of domain name entries you may only
> want to check them when reading hba.conf. This does break some useful
> things about using domain names in hba.conf.

Personally, I think the best way to deal with the issue is, if the
connecting IP address is not found in hba.conf, do an in-addr.arpa
lookup on the IP address and see if you get a hostname. If you do, check
the hba.conf for that hostname. If the hba.conf has the hostname, then
you do a forward lookup on it and make sure that there's an A record
matching that IP address.

Yes, it can slow things down significantly. But you can still always
just hardwire the IP addresses in hba.conf if you want to avoid the
slowdown and the addresses don't change often. However, if the addresses
do change often, this gives you the option of having the server follow
the changes automatically, at the price of a slowdown in connecting.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
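
The lookup order proposed in the message above (address entries first, then a reverse lookup, then a forward lookup that must return the connecting address), as an added example that is not part of the original post and is not PostgreSQL code. The function names, the split of the configuration into `hba_addrs` and `hba_hosts`, and the DNS data are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Reverse (in-addr.arpa) lookup via the system resolver; None if no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(hostname):
    """Forward lookup via the system resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def norm(name):
    return name.rstrip(".").lower()

def client_allowed(ip, hba_addrs, hba_hosts, ptr=system_ptr, a=system_a):
    """Return (allowed, reason) for a connecting IP address."""
    addr = ipaddress.ip_address(ip)
    # Hardwired address/CIDR entries match without any DNS traffic.
    if any(addr in ipaddress.ip_network(n) for n in hba_addrs):
        return True, "address entry"
    # Not listed by address: do the reverse lookup on the connecting IP.
    name = ptr(ip)
    if name is None:
        return False, "no PTR record"
    # The name from the PTR record must appear as a hostname entry.
    if norm(name) not in {norm(h) for h in hba_hosts}:
        return False, "hostname not listed"
    # The reverse zone is run by whoever holds the address block, so the PTR
    # answer is only a claim; the forward lookup must return this same IP.
    forward = {ipaddress.ip_address(x) for x in a(name)}
    if addr not in forward:
        return False, "forward lookup mismatch"
    return True, "hostname entry"

# Constructed DNS data (documentation address ranges), so the example runs offline.
FAKE_PTR = {"192.0.2.10": "app1.example.com.",
            "198.51.100.7": "app1.example.com.",   # PTR claims a listed name
            "203.0.113.5": "other.example.net."}
FAKE_A = {"app1.example.com": {"192.0.2.10"}}

def fake_ptr(ip):
    return FAKE_PTR.get(ip)

def fake_a(hostname):
    return FAKE_A.get(norm(hostname), set())
```

With the default `system_ptr` and `system_a` resolvers every connection from an unlisted address costs two DNS queries, which is the slowdown the message mentions.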